Custom menus are so simple to set up with just a few lines of code needed to get started, and then you can make use of the Appearance -> Menus section within the admin. A simple drag and drop system which allows you to create menus consisting of page, post, category, custom post type, custom taxonomy and custom links. It's so much more flexible.

To get started with custom menus I recommend reading Justin Tadlock's tutorial which tells you everything you need to know – WordPress custom menus. Well, almost everything, there is one item missing from his tutorial (although it may have been added since I last read through it), which is how he has the CSS class, link relationship and description showing in his second screenshot. To get this you need to open up the screen options section up at the top of the screen and you'll see the extra boxes that you can tick to display (or not as the case may be).

We now use custom menus on every new site we set up, and we even use one for the site map as it makes more sense to do so. If you've not already started using them then I highly recommend learning and switching to them.

Rather than writing out and repeating how to do everything, I've decided to just link to the tutorials and sites that I used to learn these features, and just add my own notes instead. However, of course I'm always happy to answer questions and help via the comments section.

Featured Images

This came in WordPress 2.9. Before this specific option, you could still create a featured image by attaching an image to a page or post via the media uploader and then using a bit of querying to pull it out and display it. Trouble was, it was a bit of a hassle and hard to explain to clients or less advanced users. Bring on the Featured Image. A way to allow posts and/or pages to have a single specified image that just required one line of code in your theme file to display.

I think the best post on this subject has to be from Mark Jaquith – Post Thumbnail Images (note, this was their name before it changed to 'Featured Image'). He covers everything you really need to know.

Featured images brings a whole host of new options. It's far simpler to create a photo blog with them for a start, and I can remember helping people out in the past where they used the categories and posts system to hold product details for a catalogue style site. Before it was a case of upload and attach the product photo (or several) to the post, and explain to the client to put the main one at the top using the order system, so that you could code in the theme to pull the first one out larger, and then perhaps show small thumbnails of the rest. Now you can simply tell them to use the featured image which can easily be displayed in product listings, and as a larger image on the main product page, with any additional images added via the media uploader and displayed as thumbnails.

This is just a simple example of how this can be used

What is Kashflow?

Kashflow is essentially accounting software like Sage, but it's based online and, speaking of experience with Sage, is far simpler to use. Everything is based online which means that you can access your accounts from any computer, you can share your login with your accountant and if you own an iPhone, there is an app to allow you easy access via your mobile phone.

Business Accounting and Administration

Kashflow doesn't just do accounts, it also allows you to store all of your clients' details, allows you to create invoices and email them direct to the clients and/or save them as PDFs. You can create quotes and projects which can have invoices and quotes assigned to it as well.

A major benefit that we've found is the repeat billing option, which means setting up an invoice for a client and then setting it to go out automatically every X months or every year. This is such a time saver, especially for small bills for domain renewals, or small hosting accounts. We just check through once a month to make sure the next few weeks are accurate and up to date, and leave them to go. The only work needs to be done when payment is made and we just mark it off as paid.

All of the invoices created on Kashflow are automatically added to your turnover once they're paid. You can also save rates and discount rates for individual clients making it easier to remember who pays what.

You also have sales and purchase types, allowing you to set up specific 'types' of products / jobs, and you can choose to assign prices to them as well, again saving a lot of time when you just select the correct product to add to the invoice.

Finally the bank reconciliation is also a great feature, which allows you to reconcile your bank statement with Kashflow to ensure nothing is missed.

VAT

(This section is probably a bit easier to understand if you're British!) The support for VAT registered businesses is great too. On the front overview page you can instantly see your VAT liability for the current quarter, and you can set up your details for HMRC and then submit your VAT directly from Kashflow when you're ready to do so.

Of course you don't have to be VAT registered to use Kashflow, as I wasn't when I first started using it as a sole trader. It's just another great feature that's available.

Accounting Reports

Finally the number of accounting reports available are great. To be honest I still don't know what half of them mean but then again I know what I need to see and that's our profit and loss! We give our login to our accountant too and he uses other various reports to get information for our end of year accounts. He'd never used Kashflow to start with but has even remarked on how easy it is to use and has got the hang of it quite quickly. We've had a few fun and games finding the wrong payments in the wrong payment types, but it's very easy to shift payments from one type to another to ensure the accounts are correct.

Free 60 day trial

So if you're in business then I cannot recommend Kashflow enough. Before I started using it my argument would be that I couldn't afford to pay out for accounting software when I could do it myself in Excel or my own written accounts software. However, the £15.99 + VAT per month cost is minimal compared to the time saved, which frees us up to do more work and earn more than the cost of Kashflow.

You can try it for free for 60 days, you don't even have to enter your card details (unlike most trial offers). You can simply set up an account, give it a go and if you like it, decide if it's worth the monthly cost. There's no minimum requirement on accounts either, so you don't have to sign up for a year or anything like that either. If you also sign up via my Kashflow link and decide to continue with using it, then you will actually save £1 off the monthly cost (this is continuous, not just a one off). This means £14.99 + VAT per month, and saves you £12 + VAT per year.

So it's certainly worth looking at. So go take a look

(Feel free to ask me any questions below with regards to it if you want and I'll do my best to answer them!).

Recently a friend of mine who uses the eCommerce package Tradingeye had come under a couple of attacks due to vulnerabilities in the software. The main problem was that the admin username and password were not secured and were easily exploited. (I've written before about secure PHP and SQL injections and this only introduces some of what needs to be done to secure a database driven website). Eventually, after a lot of Tradingeye customers were getting hacked, a patch was released but it wasn't suitable as it encoded not only the single and double quotes (which were the main culprits) but also the less than, greater than and equals signs. It also caused further problems with any HTML code added via the admin, as this was getting encoded and therefore being stored and output as plain text rather than HTML code.

So as a favour to him I've taken a look through the files. Someone else had already released a basic fix which uses the mysql_real_escape_string() to secure the admin username and password during login, however I took this and have added to it to secure all _GET, _POST, _COOKIE, _SESSION, _FILES and _SERVER variables (essentially all data that a user can control/modify), as looking through the code I've seen a number of places where some of these are used without any sanitising. It's worth noting that it's very easy to change the value of any of these variables (including a _SESSION variable) if you have the right tools. Never assume anything is safe.

I'm also documenting here the changes I've made to allow anyone else who uses Tradingeye to copy and update their own site. I would recommend it as a temporary fix until Tradingeye, releases an official patch. Unfortunately with limited time I can only do a quick fix, but it's an improvement over Tradingeye's current fix and improves the security of the existing system. Please note, the line numbers given are not necessarily accurate to everyone's installation.

If you're not confident in making these changes yourself then my company, DSA Media Limited, is happy to make the changes for you for a small fee to cover our time. Please read the company's news post on the subject for further information.

The Fixes

NOTE: As with any updates, I recommend that you take a backup of your files so that if something does go wrong you can reupload these and revert back to the original files.

1. Create a new file under the 'libs' directory, call it db.php and add the following code:¹

<?php
class db extends database
{
   function escape($string){
      $hasMagicQuotesEnabled = (bool)get_magic_quotes_gpc();
      $canEscapeString = function_exists('mysql_real_escape_string');
      if($hasMagicQuotesEnabled){
         $string = stripslashes($string);
      }
      if($canEscapeString){
         if($escaped = @mysql_real_escape_string($string)){
            return $escaped;
         }
      }
      $replacements = array(
         '\\' => '\\\\',
         "\0" => '\\0',
         "\n" => '\\n',
         "\r" => '\\r',
         "'" => "\\'",
         '"' => '\\"',
         "\x1a" => '\\Z',
      );
      return strtr($string, $replacements);
   }
   function quickClean($global) {
      foreach($global AS $key => $value) :
         $global[$key] = $this->escape($value);
      endforeach;
      return $global;
   }
}
?>


2. Then open up the configuration.php file in the root directory. Go to line 24, and insert below the line ²

include_once("libs/database.php");

a new line containing

include_once("libs/db.php");

3. Then in the configuration.php file still, go to line 239 and change the code from

$obDatabase = new database();

to

$obDatabase = new db();

4. Open up modules/index.php and insert the following code after the initial comments (so about line 9)

/* Sanitising user input from post, get, cookie, session, server and files */
if (@$obDatabase->escape('blah')) : // just checks that the mysql connection is still open
   $_POST = $obDatabase->quickClean($_POST);
   $_GET = $obDatabase->quickClean($_GET);
   $_COOKIE = $obDatabase->quickClean($_COOKIE);
   $_SESSION = $obDatabase->quickClean($_SESSION);
   $_SERVER = $obDatabase->quickClean($_SERVER);
endif;

5. Open up modules/adminindex.php and insert the above code on line 21 just above the comment "# Setting up all the get and post variable into an array"

6. If you've applied the regex fix (eregi()) from Tradingeye in the index.php file and adminindex.php file then open up each of these files (in the root of your website) and remove it.

7. If you haven't applied the SESSION flag fix to log out unwanted users supplied by Tradingeye then I recommend that you do this. It is easy to get around but it's just an added level of security.

8. Finally, if your password contains any of the following: ' " < > = you will need to do the following. Open up your database administration tool (such as phpMyAdmin). Go into your Tradingeye database. Then in the SQL tab at the top enter the following

UPDATE PREFIX_tbAdmin_users SET vPassword = PASSWORD('YOUR PASSWORD') WHERE vUsername = 'YOUR USERNAME'

Here you will need to replace PREFIX with your chosen table prefix, YOUR PASSWORD with the password you either currently use or wish to use, and YOUR USERNAME with the username that you use to log into your admin area. Please remember, you only need to do this if your password contains a single quote, double quote, less than, greater than or equals sign.

9. You can then upload all of the changed files and run a few tests such as logging in, setting up a user account, setting up a customer account, searching on the site and adding a product. If you find you have any problems then please leave a comment below or if you wish to have private support then you are welcome to contact me however please appreciate that my time is limited, whereas others may be able to help via the comments here, on DotDragnet forum (very helpful people here, plus there is a Tradingeye thread on there) or on Twitter.

Update 08/08/11

As originally mentioned, this was always a quick fix which could potentially cause minor issues (or major to some people) to crop up. One such issue has been the appearance of 'rn' in their product descriptions. This is due to \r\n being stored in the database as new line characters for between HTML. Then on output, the backslashes are stripped by the standard Tradingeye code and leaves 'rn'. To fix this you will need to open up /modules/ecom/classes/main/shop_interface.php. On line 389 you should find

$this->ObTpl->set_var("TPL_VAR_LONGDESC", $this->libFunc->m_displayContent1($rowContent[0]->tContent));

You need to change this to

$this->ObTpl->set_var("TPL_VAR_LONGDESC", $this->libFunc->m_displayContent1(str_replace('\r\n', '', $rowContent[0]->tContent)));

And then on line 766 you should find

$this->ObTpl->set_var("TPL_VAR_LONGDESCMAIN", $this->libFunc->m_displayContent1($rowHead[0]->tContent));

and change this to be

$this->ObTpl->set_var("TPL_VAR_LONGDESCMAIN", $this->libFunc->m_displayContent1(str_replace('\r\n', '', $rowHead[0]->tContent)));

This will then remove the 'rn' output without affecting your output.

Please remember, if you are not confident in applying these fixes yourself, we can do them for you for a small fee. Please read the company's news post on the subject for further information.

¹ Credit goes to Anthony Sterling for the class code and function escape().
² Full credit to Anthony Sterling.

Disclaimer: All code is supplied as is. No warranty should be implied or is offered. This has been tested on a live version of Tradingeye v6.1 however I recommend that you should apply the updates and then complete a thorough testing of your website before allowing the general public to access it again.

He's 7.5 months old now, a happy and chilled out baby, and he's absolutely amazing. We both still can't believe he's ours

Anyway, I'm not going to bore you with chat of nappies (cloth of course), lack of sleep or his 'first' everything. I just wanted to leave a quick post to point out that I haven't forgotten this site and I hope to get back to at least the occasional post as I've got so much to write about. It's just a case of finding the time, usually once the little 'un has gone to bed

(Photo taken by David Anderson)

I've barely had much time for friends and family, let alone blogging. The baby is now due in 3 weeks time, but could come at any point between now and 5 weeks. I'm due to finish work next week (and not a week too soon!)

I've got a lot of posts in mind for here, catch up posts on new WordPress features, some examples of some of the major sites we've been working on recently etc. Time and baby permitting I hope to get some of these done before the end if the year but they'll be along at some point, I've not forgotten about this site

However, it'll be worth it especially as on Tuesday we both got the first glimpse of our baby to be during a scan at hospital. An amazing moment for both of us, especially as it confirmed that the baby's heart was beating fine and confirmed our due date of mid December

I'm still suffering with a lot of headaches and lack of sleep, although I'm starting to get used to them a bit more now, but it does mean that most of my time is either spent in bed nursing the pain or getting work done. Hopefully, on average, this should only last another week or two and then I'll be into my second trimester and apparently have a new lease of energy, and be able to get on with enjoying being pregnant… I'm counting the days!

So a few plans for this site may have to take a back seat for a while now as I need to spend any computer time working, earning and saving as much as possible and teaching David some PHP as he'll be running the company at first, once the baby comes. However I will try to get some non personal posts up here when I can, especially with WordPress 3.0's release just around the corner. RC2 is already out so it's worth having a play with to get ready for the final version

It's been a mad rollercoaster of a year from setting up as a limited company, getting engaged, losing a good friend, moving to a much better house, the birth of my nephew, getting married, making new friends, and now preparing for Christmas in our new home. So many highs but one major low.

I've also been a bit lost as to how to proceed with this site. It's gone through quite a few ideas and changes of subject content, from a personal blog with tech posts, to a business and tech blog, back to personal and tech with a bit of business and money making thrown in. My posting has slowed down a lot, at first due to writing twice a week for Blogging Tips, but I took a leave of writing for there over 6 months ago.

I feel like I've exhausted the subject of WordPress from the technical point of view, but maybe not from real world example point of view. A lot of what I write on WordPress and PHP could easily be found on hundreds of other blogs and sites. Plus I've not been keeping up with other blogs, my feedreader wonders who I am if I ever go there!

So over Christmas I need to work out what to do. I'm not going to drop the site but I need to get some focus back, possibly get my new design implemented (it's on paper, that's about it!) and kick start blogging again. I think it'll start to cover a broader range of topics, and as my photo blog just gets no attention from me at all, I'll probably bring my photo posts back here too.

Got lots to work out for the new year! There's a few things I can't really go into just now but January and the rest of 2010 is looking good Merry Christmas, happy holidays, and have a happy new year

Normal service should resume soon